Succeeding with Azure Sentinel workbooks

August 23 2022

I recently completed a project for a client to implement Microsoft Sentinel. If you are not familiar with Sentinel, it is a cloud-native SIEM/SOAR (Security Information and Event Management / Security Orchestration, Automation and Response) tool that provides attack detection, threat visibility, proactive hunting, and threat response.

Sentinel uses workbooks to automate data collection and correlation. Sentinel workbooks are a nice tool that automates a lot of information gathering and analysis. At a high level, workbooks host queries on specific data within your Azure tenant. For example, I have workbooks showing Dynamics 365 logins, logouts, and what users are accessing. I have another that looks specifically at App Gateway traffic for details like how busy the system is, measured by the number of concurrent connections. Workbooks can query very specific data points among your resources.
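To make the "workbooks host queries" point concrete, here is the kind of KQL query a workbook tile would run for the App Gateway concurrent-connections view described above. This is an added example, not a query from the post or from any community workbook; it assumes Application Gateway platform metrics are being sent to the workspace's AzureMetrics table and that the metric is named CurrentConnections (check the metric name in your own tenant before relying on it).

```kql
// Added example (not from the post): concurrent connections on Application Gateway,
// the kind of query a Sentinel workbook tile hosts.
// Assumptions: App Gateway metrics flow into AzureMetrics, and the metric name
// is "CurrentConnections" (verify in your tenant).
AzureMetrics
| where TimeGenerated > ago(24h)            // in a workbook, replace with the TimeRange parameter
| where ResourceProvider == "MICROSOFT.NETWORK"
| where ResourceType == "APPLICATIONGATEWAYS"
| where MetricName == "CurrentConnections"
| summarize
    AvgConnections  = avg(Average),
    PeakConnections = max(Maximum)
    by bin(TimeGenerated, 15m), Resource     // one series per gateway
| order by TimeGenerated asc
| render timechart
```

Inside a workbook the query is pasted into a query step, the time filter is wired to the workbook's time-range picker, and the visualization type (time chart, grid, tile) is chosen in the step settings. The same pattern, a table filtered to one resource type and metric and then summarized by time bin, is what the Dynamics 365 sign-in workbook does against the SigninLogs table instead of AzureMetrics.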

This particular client needed to demonstrate some ISO compliance. They were going through an ISO audit, and I created a workbook to look for compliance items as specified in the ISO audit. At the end of the audit, you could click a button and show their internal ISO compliance team a report. They were very happy with it.

Workbooks are helpful, but it is important to keep in mind that a lot of development work may be needed on the backend to get the workbook running right. Sentinel doesn’t actually get the reporting information itself. Sentinel is a dashboard, presenting information in an organized format.

Taking ISO compliance as an example, there are several ISO standards, and there are different workbooks for different ISO standards. For a similar reporting scenario, you could download the workbook you need and run it. When it runs, it will show where you are compliant or not compliant. Without a Sentinel workbook you would have to go all over the tenant looking for compliance rules, whereas the workbook centralizes the information into a nice report.

Many of the workbooks are created through the Sentinel community. The ISO-related workbook came from the ISO community. Fortunately, many already exist off the shelf. Just download one and make a few changes to adapt it to your environment. One of the best ways to find workbooks is through GitHub, where the Azure Sentinel community maintains a repo of these workbooks.

About Jeff Christman

Jeff Christman is a Navy Veteran with over 20 years of experience in the IT field. Specializing in cloud migrations, he has worked for companies such as Raytheon, AT&T, and NASA. Currently, he is a Sr. Cloud Security Consultant at a large consulting firm. In addition to his daytime job, he also has published content and courses for Pluralsight.com, Techsnips.io, and Adamtheautomator.com. 

In his off time, he loves fantasy football, everything tech, and embarrassing his teenage daughters.
